nre-learning / antidote-selfmedicate

Configs and scripts for spinning up a local instance of Antidote on your laptop for testing and lesson development
Apache License 2.0

Git self-signed cert in chain breaks pods #10

Closed mmellin closed 5 years ago

mmellin commented 5 years ago

Issue description

Syringe makes calls to git to clone the antidote-repo. When doing so in my locally running minikube setup (via antidote-selfmedicate), the Syringe pod crashes. This is due to the container git-clone receiving the following error: fatal: unable to access 'https://github.com/nre-learning/antidote.git/': SSL certificate problem: self signed certificate in certificate chain

This also happens when pulling up lessons in the antidote-web. For example, trying to access the lesson for git (lesson-14) will try to spin up a linux utility image and that pod will also have the same problem where its git-clone container will experience the same certificate issue and message.

$ kubectl --namespace=17-jwtzfp5fy8ktyo33-ns logs pod/linux1 git-clone
Cloning into '/antidote'...
fatal: unable to access 'https://github.com/nre-learning/antidote.git/': SSL certificate problem: self signed certificate in certificate chain

Workaround

I found a workaround to get the syringe pod up, but not a workaround for the lessons issue. This workaround is to include the following line in syringe.yml within the antidote-selfmedicate folder:

git config --global http.sslVerify false

This might also work, but I haven't tried it yet because I'm not sure which certs to use or where they are stored:

git config --system http.sslCAPath /path/to/cacerts

https://confluence.atlassian.com/fishkb/unable-to-clone-git-repository-due-to-self-signed-certificate-376838977.html

Example usage in 'syringe.yml'

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: git-clone
data:
  git-clone.sh: |
    #!/bin/sh -e
    REPO=$1
    REF=$2
    DIR=$3
    # Init Containers will re-run on Pod restart. Remove the directory's contents
    # and reprovision when this happens.
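    if [ -d "$DIR" ]; then
        # Quote the path and let find hand entries to rm, so names with spaces survive.
        find "$DIR" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
    fi
    git config --global http.sslVerify false  #FIXME!!   <<<<<<<< WORKAROUND: ADD THIS LINE
    git clone "$REPO" "$DIR"
    cd "$DIR"
    git checkout --force "$REF"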
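
An alternative to the `http.sslVerify false` workaround above, as an added example that is not part of the original issue or the project's git-clone.sh: keep verification on and add the intercepting proxy's root CA to the bundle git reads. The `SYSTEM_CA_BUNDLE` default, the bundle output path, the fourth script argument and the function names are assumptions; the marker check only confirms the file looks like PEM, while the real validation happens in the TLS handshake.

```shell
#!/bin/sh
# Added example, not the project's script. All names and paths are hypothetical.
SYSTEM_CA_BUNDLE=${SYSTEM_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Print the number of PEM certificates in file $1 (0 if missing or unreadable).
count_pem_certs() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Write the system roots plus the extra CA ($1) to $2 and print that path.
# http.sslCAInfo points git at one bundle file, so the system roots are copied
# in alongside the extra CA. Fails instead of falling back to sslVerify=false.
build_ca_bundle() {
    extra_ca=$1 out=$2
    if [ "$(count_pem_certs "$extra_ca")" -eq 0 ]; then
        echo "no PEM certificate found in '$extra_ca'" >&2
        return 1
    fi
    : > "$out"
    if [ -r "$SYSTEM_CA_BUNDLE" ]; then
        cat "$SYSTEM_CA_BUNDLE" >> "$out"
        echo >> "$out"   # guard against a bundle with no trailing newline
    fi
    cat "$extra_ca" >> "$out"
    echo "$out"
}

# Clone with verification forced on for this invocation only (no --global).
clone_verified() {
    repo=$1 ref=$2 dir=$3 bundle=$4
    # A GIT_SSL_NO_VERIFY variable in the environment also disables verification.
    unset GIT_SSL_NO_VERIFY
    git -c http.sslVerify=true -c http.sslCAInfo="$bundle" clone "$repo" "$dir"
    git -C "$dir" checkout --force "$ref"
}

# Usage: git-clone-ca.sh REPO REF DIR EXTRA_CA_PEM
if [ "$#" -eq 4 ]; then
    bundle=$(build_ca_bundle "$4" "${TMPDIR:-/tmp}/git-ca-bundle.pem") || exit 1
    clone_verified "$1" "$2" "$3" "$bundle"
fi
```

The extra CA file would be the root certificate of whatever is re-signing the traffic, exported from the host and mounted into the pod.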

Mierdin commented 5 years ago

Interesting - I don't run into this, and can't reproduce. Is it possible this is also caused by netskope? I know it attempts to do some SSL interception.

Also, the configmap approach is being deprecated. We now have a new githelper image and if we end up needing to make a change, we'll make it here and everything that uses it will receive the update.

Mierdin commented 5 years ago

Should also mention that https://github.com/nre-learning/antidote-selfmedicate/pull/8 will remove the need for Git entirely in favor of locally mapped directories. However, production will still continue to use Git so if the problem isn't directly caused by netskope, we'll still need to make the changes as I mentioned in my previous comment.

mmellin commented 5 years ago

Unfortunately I don't have a non-corporate laptop to try this out on. I suggest you try on your corporate laptop and see if there is a similar issue. I'm not sure exactly what could be going on here.

Regarding git and the limited Internet access from the pods to the Internet, are you planning to introduce a gitlab container as a "remote" repo to help enrich the git lessons?

Mierdin commented 5 years ago

Yes that's exactly right, eventually I'll get around to continuing the existing Git content and will include a Gitlab image then.

cloudtoad commented 5 years ago

Closing out issue.